stack smashing detected in /usr/bin/clevis-encrypt-tpm2: line 133: 10496 Aborted #109
Have you tried passing

Works for me with
Do you get the same error message in line 133 of clevis-encrypt-tpm2?
/usr/bin/clevis-encrypt-tpm2: line 133: 10496 Aborted

Yeah, same line 133 error message in both cases, for me. Here's with

Changed title to reflect that it also happens with correct configuration
stack smashing detected when passing incorrect configuration
stack smashing detected in /usr/bin/clevis-encrypt-tpm2: line 133: 10496 Aborted

Output from dmesg:
[root@fedora-iot demo]# clevis luks bind -d /dev/sdb1 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7,8,9"}'
*** stack smashing detected ***: <unknown> terminated
/usr/bin/clevis-encrypt-tpm2: line 133: 3142 Aborted (core dumped) tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy
[root@fedora-iot demo]# dmesg | grep tpm
[ 854.871514] tpm tpm0: tpm_transmit: tpm_recv: error -5

It works with an empty pin configuration, so the problem is the policy creation part.
clevis luks bind -d /dev/sdb1 tpm2 '{}'
Unfortunately, this will unlock the disk always, without any integrity protection from the TPM.

@dnoliver @sergio-correia this seems to be a bug in the
You can also check with the test_tpm2_unseal.sh integration test that's very similar to what the clevis tpm2 pin does.

@sergio-correia the problem was that I was trying to use more than 8 PCRs to do the sealing, which is forbidden by the TPM specification. By using 8 PCRs or less, I do not run into this issue. Also, there is an updated tpm2-tool package (in fedora) that tells you that the configuration is invalid, instead of the
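
The failure discussed in this thread can be caught before tpm2_createpolicy is called. The following is an added example, not code from clevis or tpm2-tools: a shell preflight that flags unrecognised configuration keys such as pcr_banks and rejects a pcr_ids list that is malformed or too long. The function names, the key list (taken from clevis-encrypt-tpm2(1)) and the 0-23 index range are assumptions; the limit of 8 is the one reported in the comment above.

```shell
#!/usr/bin/env bash
# Added example: preflight checks to run before tpm2_createpolicy is invoked.
# Assumptions: key names as listed in clevis-encrypt-tpm2(1); PCR indices 0-23
# (PC-client TPM); MAX_PCRS=8 is the limit reported in this thread.
KNOWN_KEYS="hash key pcr_bank pcr_ids pcr_digest"
MAX_PCRS="${MAX_PCRS:-8}"

# Print each key of a flat JSON object that is not in KNOWN_KEYS (e.g. pcr_banks).
unknown_keys() {
    printf '%s' "$1" | grep -o '"[A-Za-z0-9_]*"[[:space:]]*:' | tr -d '": \t' |
    while read -r key; do
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) printf '%s\n' "$key" ;;
        esac
    done
}

# Return 0 if $1 is a comma-separated list of distinct PCR indices with at most
# MAX_PCRS entries; otherwise print the reason on stderr and return 1.
check_pcr_ids() {
    local ids="$1" id count=0 seen=","
    case "$ids" in
        ""|*[!0-9,]*|,*|*,|*,,*) echo "pcr_ids: malformed list '$ids'" >&2; return 1 ;;
    esac
    local IFS=,
    for id in $ids; do
        case "$id" in
            [0-9]|1[0-9]|2[0-3]) ;;
            *) echo "pcr_ids: index $id out of range 0-23" >&2; return 1 ;;
        esac
        case "$seen" in
            *",$id,"*) echo "pcr_ids: duplicate index $id" >&2; return 1 ;;
        esac
        seen="$seen$id,"
        count=$((count + 1))
    done
    if [ "$count" -gt "$MAX_PCRS" ]; then
        echo "pcr_ids: $count PCRs selected, limit is $MAX_PCRS" >&2
        return 1
    fi
    return 0
}

# The configuration quoted in the thread: ten PCRs, so the check refuses it.
cfg='{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7,8,9"}'
unknown_keys "$cfg"
check_pcr_ids "0,1,2,3,4,5,6,7,8,9" || echo "refusing to call tpm2_createpolicy" >&2
```
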

Fixed!

Similar/related to #103
using pcr_banks instead of pcr_bank results in a stack smashing detected error